
AI, cyber security and the reality behind the headlines

By Mike Maddison

20 February 2026

The recent talk of a so‑called “SaaSpocalypse” got me thinking. Technology is always evolving, and with it comes a familiar pattern of excitement, over‑expectation and eventual reset, followed by rational normality. I remember business cases that claimed email would dramatically improve productivity (it didn’t), and writing a paper about the risks of the “imminent” integrated desktop with video conferencing back in 1999. My mobile phone still doesn’t work reliably on UK trains. It’s better than it was in 1989, but the point remains: technology development moves faster than the infrastructure, governance and operating models needed to realise its full value. AI is no different.

The current reset has seen investors question whether rapid advances in automation and so‑called “agentic AI” could fundamentally disrupt established business models, particularly in professional, software‑enabled and services‑led industries. Those concerns are understandable. 

To understand what this means for cyber security, it’s important to examine the practical implications in more detail.

Let’s be honest about the implications: AI is already changing how parts of cyber security are delivered. Pretending otherwise would be naïve.

In areas such as security testing, AI can automate and accelerate repeatable tasks. This is reflected in pressure on highly commoditised testing models across the industry, alongside challenges to traditional assumptions about pricing and delivery. Where judgement, context and assurance are required - particularly in complex and regulated environments - specialist consulting continues to be high value, consistent with the way the market has evolved as tooling has improved.

In managed cyber services, intelligent automation is improving detection, response and orchestration. That raises expectations around speed, efficiency and cost. There is also a broader execution risk: AI accelerates technology cycles. Skills, delivery models and governance all need to adapt faster if companies do not wish to fall behind. These are real risks, and they deserve to be taken seriously. But they are only half the story.

Much of the current debate focuses on what AI can automate. Far less attention is paid to what it cannot remove: responsibility for outcomes, governance, regulatory accountability, and the need for informed human judgement when systems fail, behave unpredictably, or collide with legacy environments and technical debt. 

 

Cyber security exists because technology creates risk. AI doesn’t remove that risk - it expands it.

AI lowers the barrier to entry for attackers, increasing speed, scale and sophistication. At the same time, as organisations embed AI into their operations, technology environments become more complex, more interconnected and more consequential. Decisions are automated, operating models are embedded into critical processes, and the cost of failure rises. Many organisations are also building on legacy foundations that were never designed for AI.

That reality creates these enduring opportunities in cyber security.

 

Scaling security without sacrificing assurance

AI allows certain cyber security activities to be delivered more efficiently and more consistently. That is a good thing. It enables scale, resilience and clearer outcomes for clients.


But efficiency is not the same as assurance.

As automation increases, human judgement becomes more valuable, not less. Complex systems, regulated environments and high‑impact decisions still require experienced specialists who understand context, intent and consequence.

At NCC Group, our focus is not on replacing expertise with automation, but on combining intelligent tools with trusted human oversight. This hybrid approach allows us to scale delivery while maintaining the standards our clients, regulators and partners expect. That means investing in internal innovation where differentiation and assurance matter, while also working carefully with chosen partners where that accelerates secure, high‑assurance delivery for clients.


Stronger managed services built on intelligence and trust

In managed services, AI enhances our ability to detect threats earlier, respond faster and manage environments more effectively. But managed security is not simply a technology problem. It is a trust problem.

Clients increasingly care about outcomes, resilience and accountability, not just transactional pricing. When incidents occur, they expect transparency, informed judgement and clear ownership of decisions.

AI supports our teams; it does not replace them. Skilled professionals remain essential to oversee systems, manage exceptions and respond to novel or high‑severity threats. The combination of automation and expertise creates more resilient services and supports deeper, longer‑term client relationships.


New demand that’s driven by AI‑specific risks

As organisations embed AI into critical business processes, they face entirely new categories of risk - from data integrity and model behaviour to governance, resilience and regulation.

Securing AI systems is quickly becoming a core part of enterprise cyber security, not a niche add‑on. That work requires deep technical understanding, independent assurance and strong governance - areas where NCC Group has built its reputation over more than two decades.

 

Building a business that evolves with technology

AI is reshaping the cyber security market, but it does not change our purpose. There is ongoing debate about the pace and impact of AI, with sentiment varying across stakeholders.

Our responsibility is to stay focused on the fundamentals: how risk is changing, what clients genuinely need, and how we adapt our capabilities accordingly.

I started out with reflections about how technology evolves. The fact is it does, but often the infrastructure takes time to catch up (if it ever does) before the real benefits are realised. It’s not that my mobile can’t work on a train or at home; it’s just that the infrastructure hasn’t caught up. AI is similar. It is reshaping cyber security, but it does not reduce the importance of cyber security.


Mike Maddison, CEO, NCC Group